Swagger-ui: After adding an api key, the operations are not refreshed.

Created on 16 Jul 2018  ·  3 Comments  ·  Source: swagger-api/swagger-ui

Q&A (please complete the following information)

  • OS: Windows10
  • Browser: Any
  • Version: 3.0.0
  • Swagger-UI version: 3.0.0

Describe the bug you're encountering

We are using a DocumentFilter to filter out all methods that a user doesn't have authorization to use.
That was working fine in the version 1.0.0. We would add the bearer and the page would reload all the endpoints again, bringing all the methods that the user has permission to use according to the entered token.

I updated to 3.0.0 and this is no longer working. Swagger-UI is not reloading the operations after adding an api key, therefore the user can't see the endpoints protected by permissions.

If I reload the page after adding the token, all is lost (the token is not there anymore).

Also, the popup is not closing automatically after clicking "Authorize". No JavaScript errors are shown on the browser console.

How to accomplish endpoint filtering according to permission in version 3.0.0?

All 3 comments

@andrecarlucci - you're mixing two independent projects (Swashbuckle & swagger-ui) in your issue description. To prevent you from getting redirected back to the Swashbuckle repo, I thought I might interject and try to describe your issue purely in terms of the swagger-ui project, which I believe to be the root cause:

__Q&A (please complete the following information)__
OS: Windows10
Browser: Any
swagger-ui version: 3.17.1

__Describe the bug you're encountering__
We have logic implemented at the Swagger JSON endpoint to only output certain Operations when the request for Swagger JSON (e.g. swagger/v1/swagger.json) contains a valid api key.

In the 2.x versions of the swagger-ui, it appears that the Swagger JSON is automatically re-fetched, and the UI re-loaded, whenever the user enters an api_key through the authorization UI workflow. Furthermore, the api key is included in the Swagger JSON request.

This turned out to be very convenient because it resulted in the end-user only being able to view operations that they're actually authorized to invoke. However, in the 3.x versions of the swagger-ui, this re-fetch/re-load doesn't appear to be happening. Is this by design? If so, could you suggest an alternative workaround to achieve the same result with the latest UI?

I am also experiencing this problem with an authorization filtered endpoint using OAuth2 and JWT.

I have put a workaround in place using a plugin action and request interceptor, but I am not a React developer and it seems like it could likely be improved:

configObject.plugins = [
    function (system) {
        // Keep a reference to the system so the request interceptor below can read auth state.
        configObject.system = system;
        return {
            statePlugins: {
                auth: {
                    wrapActions: {
                        // After the OAuth2 authorize action runs, download the spec again.
                        authorizeOauth2: (oriAction, system) => (a) => {
                            var r = oriAction(a);
                            system.specActions.download();
                            return r;
                        }
                    }
                }
            }
        };
    }
];
// Add the stored OAuth2 access token to requests that carry no authorization header yet.
configObject.requestInterceptor = function (e) {
    var token = configObject.system.auth().getIn(["authorized", "oauth2", "token", "access_token"]);
    if (token != null && e.headers.authorization == null) {
        e.headers.authorization = "Bearer " + token;
    }
    return e;
};
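
Added example, not part of the thread or of swagger-ui's own code: a variant of the request interceptor above that attaches the bearer token only when the request's origin is allow-listed, and treats an existing `Authorization` header as set regardless of case. `makeScopedInterceptor`, `getToken`, `demo` and the `example.test` hosts are assumptions made for illustration.

```javascript
// Added example: scope the bearer token to allow-listed origins.
// makeScopedInterceptor and getToken are hypothetical names, not swagger-ui API.
function makeScopedInterceptor(getToken, allowedOrigins, baseUrl) {
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));
  return function requestInterceptor(req) {
    let origin;
    try {
      // Relative URLs (e.g. "swagger/v1/swagger.json") resolve against the page.
      origin = new URL(req.url, baseUrl).origin;
    } catch (err) {
      return req; // unparseable URL: leave the request without credentials
    }
    const token = getToken();
    req.headers = req.headers || {};
    // Header names are case-insensitive; "Authorization" and "authorization"
    // must both count as already set.
    const hasAuth = Object.keys(req.headers)
      .some((name) => name.toLowerCase() === "authorization");
    if (token && allowed.has(origin) && !hasAuth) {
      req.headers.Authorization = "Bearer " + token;
    }
    return req;
  };
}

// Wiring in the browser, following the thread's workaround (assumed config object):
//   configObject.requestInterceptor = makeScopedInterceptor(
//     () => configObject.system.auth()
//       .getIn(["authorized", "oauth2", "token", "access_token"]),
//     [window.location.origin], window.location.href);

// Constructed sample requests; the example.test hosts are placeholders.
function demo() {
  const intercept = makeScopedInterceptor(
    () => "constructed-token", ["https://api.example.test"],
    "https://api.example.test/docs/index.html");
  return [
    { url: "swagger/v1/swagger.json", headers: {} },              // same origin
    { url: "https://validator.example.test/check", headers: {} }, // other origin
    { url: "/orders", headers: { Authorization: "Basic abc" } },  // already set
  ].map((req) => intercept(req).headers.Authorization);
}

console.log(demo());
```

Filtering the spec document only changes what the UI displays; each operation still has to enforce authorization on the server.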

Closing as a duplicate of https://github.com/swagger-api/swagger-ui/issues/4324.

Thanks for the input here, everyone - everything here will be considered when we work on the original ticket 😄
